This privacy notice explains who we are, how and why we collect, store and use personal information, your rights in relation to your personal information, and how to contact us and the authorities in the event you have a complaint.
In this notice the term ‘client’ refers to an organisation that has a contract to use WeThrive.
- Who we are
- The personal information we collect and use
- How we use your personal information
- Where your information is kept
- Your rights
- Keeping your personal information secure
- How to complain
Who we are
WeThrive Ltd is a UK company that helps clients to understand the needs and concerns of their people. To do this, we act as a data processor for clients. We also hold contact data for current and potential users of our service, and are responsible as a data controller for this information.
We are regulated under the General Data Protection Regulation.
The personal information we collect and use
People who visit and use our site
When you visit our websites or interact with an email that we send to you, we may collect information about how you interacted with our services. We use this information as part of our own commercial activity but do not share it with anyone else.
We may also gather statistics using standard technologies to help us monitor and improve our newsletters and email subscriptions. You will have the ability to unsubscribe from any repeat communications at any time.
Our site places a small text file or ‘cookie’ on your device so we can recognise you when you visit again. Temporary cookies may also be used in the WeThrive application to authenticate you as an authorised user after you have logged in.
You can control how your computer uses most cookies through the browser settings. Some features of WeThrive may not work properly if you disable cookies on our site.
Information from client organisations
WeThrive is contracted by its clients to process information about their people. We receive this data, usually categorised by team, department or other segments defined by the client. This data is used for the sole purpose of the service, for example to send surveys, produce reports, suggest action plans and learning resources, and help companies track their use.
Public information & third-party services
WeThrive may obtain information about you or end-users from third parties, such as public databases, social media platforms, third party data providers and our marketing partners. Examples of the information we may receive from other sources include device information (e.g. IP address and browser), location, behavioural data and demographic information. We may use this information, alone or in combination with other information described above, to develop or provide more relevant features or services or provide more relevant marketing and content to you.
How we use your personal information
For people in client organisations
Clients use WeThrive to survey their people and produce recommendations aimed at helping them have a better experience of work. To do this, we receive your personal information from your organisation. This will include your name, email address, and other identifiers the client might use to classify their people. We use this information to:
- Send you survey invitations, reminders and thank-you emails
- Provide the client with reports and analysis on the needs of their people
- Recommend action plans to the client
- Provide appropriate learning materials
- Help the client track the progress of action plans
Depending on whether the client is using the team version or the 121 version of WeThrive, survey scores may or may not be attributable directly to you. In the team version it is not possible to see the scores for any group containing fewer than four people. The 121 version identifies each person’s survey score. Free-text comments cannot be linked back to an individual in either version.
For clients of WeThrive
We use your personal information to:
- Supply, improve and support the services we provide
- Send you information, from which you can unsubscribe at any time
- Promote our services to you
- Communicate with you, provide support and provide our services
- Send you contracts or invoices (possibly via a secure payment provider)
As part of the process of using WeThrive you will upload your people data. Please note that we have no direct relationship with those people, and that you are responsible for ensuring you have any necessary permission for us to hold and process that information.
How long your personal information will be kept
We hold personal information on client contacts as long as we are providing the services to the client, or to comply with our legal obligations, enforce the terms of our contracts, resolve disputes or prevent abuse. We hold personal information on clients’ people for the duration of our contract with the client, and generally erase it within 90 days of the contract termination.
Reasons we can collect and use your personal information
There are different reasons for processing different categories of data:
- If you are not a WeThrive client we may have a legitimate interest in contacting you if you are a representative of another business, offering details of services through B2B marketing
- We process client contact data in order to perform our contractual obligations
- We process clients’ people data under our terms of service. As data controller, it is the responsibility of our clients to determine the lawful basis for the use of your personal information.
If you have any questions about the lawful basis on which we are processing your personal data, please contact Richard Adams, by email to firstname.lastname@example.org or by post to WeThrive, Sussex Innovation Centre, University of Sussex, Brighton, BN1 9SB.
Where your information is kept
We keep all marketing, product and customer data in secure systems.
For marketing and customer data we use Salesforce CRM and Pardot (a Salesforce company). Salesforce data is stored on their EU1 server based in Frankfurt, Germany / London, UK, and Pardot data is stored on Amazon Web Services in the US. Salesforce is part of the EU-US Privacy Shield framework.
The WeThrive software is hosted on Amazon Web Services, with data held on European servers in Ireland. Emails from WeThrive are sent via Sendgrid, and our support software is operated by Intercom. Both companies are part of the EU-US Privacy Shield framework.
For business emails and calendar management, we use Gmail by Google, who are part of the EU-US Privacy Shield framework.
You have a number of rights under the General Data Protection Regulation, including:
- fair processing of information, and transparency over how we use your data
- access to a copy of your personal information
- the right to correct any mistakes in your information
- the right to have your data erased in some cases
- you can opt out of direct marketing
- you can object to our continued processing of your personal information
- otherwise restrict our processing of your personal information in certain circumstances
Further information on these rights is available from the Information Commissioner’s Office.
Exercising these rights if we hold your information on behalf of a client
If you have been sent a WeThrive survey by your organisation you can make a subject access request (SAR) at any time to your organisation to find out more about the information we hold about you on their behalf.
Exercising these rights if you are a client
If you are a client of WeThrive, or have been in touch with us at any point, or believe that we may hold information about you for any other reason, you can make a SAR to us at any time.
SARs should be made in writing, addressed to Richard Adams, by email to email@example.com or by post to WeThrive, Sussex Innovation Centre, University of Sussex, Brighton, BN1 9SB.
You can make the request in person or someone can do it for you. In either case we need proof of identity, i.e. a copy of your driving licence or passport and a recent utility or credit card bill. If you are making the request on behalf of someone else we also need proof that you have been authorised to make the request.
WeThrive will respond to SARs fully within 30 calendar days, but will aim to acknowledge receipt within a week. This is what we will be able to tell you:
- Whether or not we hold any personal data about you
- A description of any personal data we have
- Details of what it is used for
- Details of how to access it and keep it up to date
- Details of how you can have it erased from our systems
If you would like to unsubscribe from any email newsletter you can do so at any time using the ‘unsubscribe’ button at the bottom of the email. It may take up to 24 hours for this to take place.
Keeping your personal information secure
We have appropriate systems to prevent unauthorised access to any data we hold. Anyone who processes your information will do so according to company procedures and has a duty of confidentiality. We have appropriate procedures to deal with any suspected security breach, and will notify you and the appropriate regulators of any possible breach when necessary.
It is your duty to keep any passwords secure, and not to share your login to WeThrive.
How to complain
We take great care to act ethically and hope that we will not raise any concerns about how we process your personal information. We also hope that we will be able to resolve any queries or concerns quickly and fully. You can contact Richard Adams, by email to firstname.lastname@example.org or by post to WeThrive, Sussex Innovation Centre, University of Sussex, Brighton, BN1 9SB.
You also have the right to raise a complaint with a supervisory authority. You can do this in the state where you work, where you normally live, or where you believe any infringement of data protection laws may have occurred.
In the UK you can contact the Information Commissioner via https://ico.org.uk/concerns/ or on 0303 123 1113.
This privacy notice was published on 16th May 2018. It may change from time to time – the latest version will always be available on request or via the footer of our website.